Privacy Policy

Privacy Policy

(available here: https://billinkpayments.com/privacy-policy/)

Last updated: 4th of June 2025

Introduction

This Privacy Policy describes how Practice Administration Technologies Limited, trading as Billink Payments (“Billink”, “we”, “us”, “our”), a company incorporated in Ireland (CRO 677226) with its registered office at 10 Clanwilliam Square, Grand Canal Quay, Dublin 2, D02 N884, Ireland, processes personal data in connection with the provision of our payment services to healthcare providers, consultants, and their patients.

We are committed to protecting personal information and complying with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK GDPR, and the Data Protection Act 2018.

Billink acts as:

  • Data Processor – when we process patient personal data on behalf of healthcare providers and consultants.
  • Data Controller – for limited purposes such as operating our own website, billing our customers, monitoring for fraud/security, and managing support relationships.

In all cases, healthcare providers remain the data controller in respect of patient data, and Billink only processes such data strictly in accordance with their instructions. For limited purposes (such as fraud prevention, logging, and compliance), Billink may act as an independent controller.

Categories of Personal Data

We may process the following categories of data:

  • Patient data (as processor): name, contact details (mobile number, email), payment details, payment history, transaction identifiers.
  • Practice staff and customer data (as controller): practice contact information, staff user accounts, billing and invoicing details.
  • Technical and communications data: device/browser information, IP address, log data, SMS/WhatsApp/email delivery statuses.
  • Support and communication data: records of emails, chat, or support tickets.

We do not process clinical or special category medical records. Healthcare providers remain responsible for clinical data stored in their electronic health record (EHR) systems.

Purposes of Processing

We process data for the following purposes:

  • Payment processing: enabling practices to send payment requests and patients to complete payments.
  • Reconciliation and reporting: updating the practice’s system when payments are completed.
  • Facilitating communications: enabling practices to securely send payment requests, reminders, receipts, and administrative messages to patients and team members.
  • Customer account management: billing, invoicing, and communications with practices.
  • Security and fraud prevention: monitoring system activity and protecting against misuse.
  • Legal and compliance obligations: including PCI DSS, GDPR, and consumer protection law.
  • Improvement of services: troubleshooting, analytics, and development of new features.

Legal Basis for Processing

We rely on the following lawful bases under GDPR:

  • Performance of a contract (Art. 6(1)(b)) – to provide payment services to practices and patients.
  • Legitimate interests (Art. 6(1)(f)) – fraud prevention, network security, service improvement.
  • Compliance with legal obligations (Art. 6(1)(c)) – financial reporting, tax, anti-money laundering (via Stripe).
  • Consent (Art. 6(1)(a)) – where expressly required, e.g. for optional communications or cookies.

Sharing of Data

Billink uses trusted third-party service providers (sub-processors) to deliver its services. These include:

  • Stripe – payment processing, KYC/AML compliance.
  • AWS – secure cloud hosting.
  • Esendex / Commify – SMS delivery services.
  • Mailgun – transactional email delivery.
  • Meta (via 360dialog) – WhatsApp Business API messaging.
  • NBN Minds – contracted development services.

All sub-processors are bound by Data Processing Agreements ensuring GDPR compliance.

International Transfers

Some personal data may be transferred outside the European Economic Area (EEA) or UK (e.g. to the United States) when using providers such as Stripe, AWS, Mailgun, or Meta.

Where transfers occur, Billink ensures appropriate safeguards are in place, including the use of the EU Standard Contractual Clauses (SCCs) and equivalent UK transfer mechanisms.

Security Measures

Billink implements technical and organisational measures to protect data, including:

  • AWS cloud infrastructure with restricted access, MFA, and audit logging.
  • Encryption in transit (TLS 1.2/1.3) and encryption at rest across all key systems.
  • Regular penetration testing (last test July 2025, no critical issues).
  • Access controls for developers and staff.
  • Automated monitoring and alerting for anomalous activity.

Data Retention

  • Patient transaction data – retained as long as required for reconciliation, financial reporting, and legal obligations (typically 7 years under Irish and UK accounting law).
  • Practice and customer account data – retained for the duration of the customer contract plus a defined period for compliance purposes.
  • Logs and technical data – retained since inception, as these are required by customers for reconciliation, reporting, and audit purposes.
  • Support data – retained for as long as necessary to resolve issues and comply with legal requirements.

Data Subject Rights

Individuals have the following rights under GDPR:

  • Right of access.
  • Right to rectification.
  • Right to erasure (“right to be forgotten”).
  • Right to restriction of processing.
  • Right to data portability.
  • Right to object to processing based on legitimate interests.
  • Right to withdraw consent (where applicable).

Requests should be directed to the practice (where Billink acts as processor) or to Billink directly (where we act as controller).

Data Breach Response

Billink maintains a breach notification procedure. Any incident involving personal data is logged, investigated, and remediated. Where required, affected customers and supervisory authorities will be notified without undue delay and within statutory timelines.

Cookies & Online Tracking

Billink’s hosted payment pages and website use only essential cookies required for secure operation and functionality (e.g. session management, load balancing). We do not use cookies for advertising or analytics. A separate Cookie Policy provides further details.

Children’s Data

Billink does not knowingly collect or process personal data from individuals under 18 years of age. Our services are intended for use by healthcare providers and their patients in connection with healthcare billing and payments.

Governance & Oversight

Billink reviews and updates this Privacy Policy regularly to reflect changes in law, technology, and business practices. Customers will be notified of material changes where required.

Contact Information

For any queries or to exercise your data protection rights, please contact:

Data Protection Officer (DPO):
Dr. Sean Higgins
Billink Payments
10 Clanwilliam Square, Grand Canal Quay, Dublin 2, D02 N884, Ireland
Email: sean.higgins@billinkpayments.com